On Mon, 22 Aug 2022, Peter Viskup wrote:
> [root@prd01a ipsec.d]# ipsec auto --up sp1
> 002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):
>   1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED
> 139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
> 003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
Looks like your other end does not like your PFS or DH group size?
> Configuration is similar to this (rightsubnets):
>
> conn sp1
>     hostaddrfamily=ipv4
>     clientaddrfamily=ipv4
>     right=1.2.3.4
>     rightsubnet=10.10.10.0/24
>     #rightsubnets={10.10.10.0/24 10.20.20.0/24}
>     left=100.64.7.8
>     leftsubnet=100.64.7.0/24
>     #ikev2
>     leftauth=secret
>     rightauth=secret
>     ikev2=insist
>     ike=aes256-sha256;dh20
>     esp=aes256-sha256;dh20
Does the other end not like dh20?
Does the other end not like pfs=yes? Try pfs=no to see what happens
then?
> The multinet test configurations have the "ikev2=no"
> libreswan/east.conf at main · libreswan/libreswan · GitHub
Likely just because it was an IKEv1 test and we kept it the same. There
should be an equivalent ikev2 test, or we should add one :)
Paul
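The mismatch Paul is pointing at, as an added example that is not code from this thread or from libreswan: a small Python model of the RFC 7296 CREATE_CHILD_SA Diffie-Hellman group negotiation. A responder that does not accept the initiator's KE group answers with a lone INVALID_KE_PAYLOAD notification (type 17) whose data is the 2-octet number of the group it prefers, which is the same payload shape the log above reports (only N present, SA/Ni/TSi/TSr missing). The peer policy the model runs against is a hypothetical one (ECP_256 first, MODP_2048 second, no-PFS allowed), chosen only to show the three outcomes of keeping dh20 alone, adding a second group, and setting pfs=no; the group numbers are the IANA ones, with dh20 = ECP_384 = group 20 taken from the log. How the real peer or libreswan itself handles the notification is not modelled.

```python
"""Model of the IKEv2 CREATE_CHILD_SA Diffie-Hellman group negotiation.

Illustrative code, not libreswan's.  RFC 7296 sections 2.7 and 3.10.1: a
responder that rejects the initiator's KE group replies with
N(INVALID_KE_PAYLOAD) carrying the 2-octet number of the group it wants, and
the initiator retries with that group if its own policy allows it.
"""
import struct
from typing import Dict, List, Optional, Tuple

# IKEv2 Transform Type 4 (Diffie-Hellman group) identifiers from the IANA
# registry.  Only the groups this example uses are listed.
DH_GROUPS: Dict[str, int] = {
    "NONE": 0,        # no KE payload in CREATE_CHILD_SA, i.e. libreswan pfs=no
    "MODP_2048": 14,  # libreswan name dh14
    "ECP_256": 19,    # libreswan name dh19
    "ECP_384": 20,    # libreswan name dh20, the group proposed in the log above
}

INVALID_KE_PAYLOAD = 17  # Notify Message Type, RFC 7296 section 3.10.1


def parse_proposal_dh(proposal_line: str) -> Optional[int]:
    """Extract the DH group number from a libreswan proposal line such as
    '1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED'.
    Returns None when the line carries no DH= field."""
    for field in proposal_line.strip().split(";"):
        if field.startswith("DH="):
            name = field[len("DH="):]
            if name not in DH_GROUPS:
                raise ValueError(f"unknown DH group name {name!r}")
            return DH_GROUPS[name]
    return None


def responder_handle_ke(ke_group: int, responder_policy: List[int]) -> dict:
    """Responder side of CREATE_CHILD_SA.

    responder_policy lists the groups the peer accepts, most preferred first;
    0 (NONE) means it also accepts Child SAs without PFS.  On a mismatch the
    reply is a single N(INVALID_KE_PAYLOAD) with the preferred group as its
    2-octet data: no SA, Ni, TSi or TSr payloads, exactly what the log shows.
    """
    if not responder_policy:
        raise ValueError("responder policy must name at least one group")
    if ke_group in responder_policy:
        return {"ok": True, "group": ke_group}
    return {"ok": False, "notify": INVALID_KE_PAYLOAD,
            "data": struct.pack("!H", responder_policy[0])}


def initiator_negotiate(preferred: int, acceptable: List[int],
                        responder_policy: List[int]) -> Tuple[Optional[int], List[str]]:
    """Initiator side: propose `preferred`; on INVALID_KE_PAYLOAD retry once
    with the suggested group if local policy (`acceptable`) allows it.
    Returns the agreed group (None on failure) and a transcript of the exchange."""
    transcript: List[str] = []
    group = preferred
    for _attempt in range(2):  # initial request plus at most one retry
        ke = "" if group == 0 else f",KEi(group={group})"
        transcript.append(f"I -> R: CREATE_CHILD_SA SA,Ni{ke},TSi,TSr")
        reply = responder_handle_ke(group, responder_policy)
        if reply["ok"]:
            ke_r = "" if group == 0 else f",KEr(group={group})"
            transcript.append(f"R -> I: CREATE_CHILD_SA SA,Nr{ke_r},TSi,TSr")
            return group, transcript
        (suggested,) = struct.unpack("!H", reply["data"])
        transcript.append(f"R -> I: N(INVALID_KE_PAYLOAD, group={suggested})")
        if suggested not in acceptable:
            transcript.append(f"I: group {suggested} is not in local policy, giving up")
            return None, transcript
        group = suggested
    return None, transcript


if __name__ == "__main__":
    # Constructed scenario: the proposal line from the log against a
    # hypothetical peer that prefers ECP_256, then MODP_2048, and allows no-PFS.
    local = parse_proposal_dh(
        "1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED")
    peer_policy = [DH_GROUPS["ECP_256"], DH_GROUPS["MODP_2048"], DH_GROUPS["NONE"]]
    scenarios = [
        ("esp=aes256-sha256;dh20 only", local, [20]),
        ("esp=aes256-sha256;dh20 or dh19", local, [20, 19]),
        ("pfs=no", DH_GROUPS["NONE"], [DH_GROUPS["NONE"]]),
    ]
    for label, preferred, acceptable in scenarios:
        agreed, lines = initiator_negotiate(preferred, acceptable, peer_policy)
        print(f"--- {label}: agreed group = {agreed}")
        print("\n".join(lines))
```

The first scenario is the situation in the thread: with dh20 as the only permitted child group there is nothing to retry with, so the Child SA never comes up. The other two correspond to Paul's two suggestions, offering a group the peer accepts and disabling PFS. When debugging a real peer, the useful datum is the group number inside the notify data, since it says what the other side will take.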
_______________________________________________
Swan mailing list
swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan